all: use entrypoint id remapping instead

Switch everything to use entrypoint remapping. Use dumb-init to clean up any potential forks and gosu to switch user and execute command. Gosu is preferred over standard su because it ignores command line arguments and handles shell commands as well as binary paths. This uses the internal user and group "developer". Signed-off-by: Randolph Sapp <rs@ti.com>
nmenon · Apr 11, 2024 · 00bbc47 · 00bbc47
1 parent 8cb4f58
commit 00bbc47
Show file tree

Hide file tree

Showing 6 changed files with 77 additions and 23 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -22,10 +22,12 @@ RUN apt-get update \
  ca-certificates \
  ccache \
  diffstat \
+ dumb-init \
  flex \
  gcc \
  gettext \
  gnupg2 \
+ gosu \
  libcurl4-gnutls-dev \
  libelf-dev \
  libexpat1-dev \
@@ -89,6 +91,18 @@ RUN apt-get update \
 
 COPY other-configs/ /
 
+RUN echo "**** create developer user and make our folders ****" \
+ && useradd -u 1000 -U -d /config -s /bin/false developer \
+ && usermod -G users developer \
+ && mkdir /workdir && chown developer:developer /workdir \
+ && mkdir /config && chown developer:developer /config
+
+ENTRYPOINT ["/init"]
+
+CMD ["/usr/bin/bash"]
+
+VOLUME /workdir
+
 COPY kernel_patch_verify /usr/bin/kernel_patch_verify
 
 WORKDIR /workdir
diff --git a/kernel_patch_verify b/kernel_patch_verify
@@ -26,6 +26,11 @@
 source /etc/profile
 shopt -s expand_aliases
 
+# extend the path with the supplied extra directories
+if [ -n "$KP_PATH" ]; then
+ export PATH=${KP_PATH}:${PATH}
+fi
+
 ccache=$(which ccache)
 
 # We would rather that we hit cache more often, than rebuild..

diff --git a/kp_common b/kp_common
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-export USER_ID GROUP_ID PATH DOCKER_MOUNT_DIRS IMAGE_ID
+export DOCKER_MOUNT_DIRS IMG_NAME KP_PATH
 
 # Check if Docker image exists
 
@@ -38,9 +38,6 @@ else
  fi
 fi
 
-USER_ID=$(id -u)
-GROUP_ID=$(id -g)
-
 DOCKER_MOUNT_DIRS=()
 DOCKER_MOUNT_DIRS+=(-v /tmp:/tmp)
 DOCKER_MOUNT_DIRS+=(-v /opt:/opt)
@@ -57,11 +54,14 @@ if [ "$GIT_WORKTREE_COMMONDIR" != ".git" ]; then
  DOCKER_MOUNT_DIRS+=(-v "$GIT_WORKTREE_COMMONDIR":"$GIT_WORKTREE_COMMONDIR")
 fi
 
-# Run our image to add our swuser
-docker run "$IMG_NAME" /bin/bash -c "groupadd -r swuser -g $GROUP_ID && useradd -u $USER_ID -r -g swuser -d /workdir -s /sbin/nologin -c \"Docker kernel patch user\" swuser"
-# Get the container ID of the last run container (above)
-CONTAINER_ID=$(docker ps -lq)
-# Commit the container state (returns an image_id with sha256: prefix cut off)
-IMAGE_ID=$(docker commit "$CONTAINER_ID" | cut -c8-)
+# list of paths to append to the PATH variable in the container
+extra_paths=(
+ /workdir/scripts/dtc
+ /opt/cross-gcc-linux-13/bin
+ /opt/cross-gcc-linux-12/bin
+ /opt/cross-gcc-linux-11/bin
+ /opt/cross-gcc-linux-10/bin
+ /opt/cross-gcc-linux-9/bin
+)
 
-PATH=/workdir/scripts/dtc:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/opt/cross-gcc-linux-13/bin:/opt/cross-gcc-linux-12/bin:/opt/cross-gcc-linux-11/bin:/opt/cross-gcc-linux-10/bin:/opt/cross-gcc-linux-9/bin:/usr/local/cross-gcc-linux-9/bin:/usr/local/cross-gcc-linux-10/bin
+KP_PATH=$(IFS=:; printf '%s' "${extra_paths[*]}")
diff --git a/kps b/kps
@@ -4,11 +4,7 @@ source "$(dirname "$(readlink -f "$0")")/kp_common"
 
 # If we wanted to get to bash shell:
 docker run --rm -ti \
- --user "$USER_ID":"$GROUP_ID" \
- -e PATH \
+ -e KP_PATH -e CROSS_COMPILE -e ARCH \
  "${DOCKER_MOUNT_DIRS[@]}" \
- "$IMAGE_ID" \
+ "$IMG_NAME" \
  bash --init-file /etc/profile
-
-# TODO: we can reuse this image for future runs, for now just clean up after ourselves
-docker rmi "$IMAGE_ID"
diff --git a/kpv b/kpv
@@ -3,11 +3,7 @@
 source "$(dirname "$(readlink -f "$0")")/kp_common"
 
 docker run --rm -ti \
- --user "$USER_ID":"$GROUP_ID" \
- -e PATH \
+ -e KP_PATH -e CROSS_COMPILE -e ARCH \
  "${DOCKER_MOUNT_DIRS[@]}" \
- "$IMAGE_ID" \
+ "$IMG_NAME" \
  kernel_patch_verify -S /usr/local/smatch/bin/k_sm_check_script "$@"
-
-# TODO: we can reuse this image for future runs, for now just clean up after ourselves
-docker rmi "$IMAGE_ID"
diff --git a/other-configs/init b/other-configs/init
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+get_attribs() {
+ local file_stats file_to_test useful_attribs
+ if file_to_test=$(realpath "$1") && [[ $2 =~ ^[0-9]+$ ]] ; then
+ useful_attribs=$(stat "$file_to_test" -t)
+ read -r -a file_stats <<< "${useful_attribs#"$file_to_test"}"
+ echo "${file_stats["$2"]}"
+ else
+ return 1
+ fi
+}
+
+get_build_uid() {
+ get_attribs /workdir 3
+}
+
+get_build_gid() {
+ get_attribs /workdir 4
+}
+
+if NEW_GID=$(get_build_gid) && NEW_UID=$(get_build_uid); then
+ # bypass everything if podman is remapping the id to root
+ if [ "${NEW_UID}" == "0" ]; then
+ if [ "$(id -u)" == "0" ]; then
+ exec dumb-init -- "$@"
+ else
+ echo "Unable to resolve ns mapping!"
+ fi
+ fi
+
+ # change the uid and gid of developer otherwise
+ [ "$NEW_GID" != "$(id -g developer)" ] && groupmod -g "${NEW_GID}" developer
+ [ "$NEW_UID" != "$(id -u developer)" ] && usermod -u "${NEW_UID}" developer
+else
+ echo "Not able to detect UID/GID for remapping!"
+fi
+
+if [ "$(id -u)" == "$(id -u developer)" ]; then
+ exec dumb-init -- "$@"
+else
+ exec dumb-init -- gosu developer "$@"
+fi